I'm trying to manage PIM flows on Azure Roles using the rest API. Creating one works. I can ensure that a particular group is eligible to become, e.g., a Contributor on a subscription. Updating or deleting that, however, throws errors. If I understand the documentation correctly, I need the create endpoint for all actions: https://learn.microsoft.com/en-us/rest/api/authorization/role-eligibility-schedule-requests/create?view=rest-authorization-2020-10-01&tabs=HTTP
Here's my script:
# Assumes $baseUrl, $scope, $guid, $headers, $roleDefinitionId and $principalId are set earlier in the script
$url = "$baseUrl/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/${guid}?api-version=2020-10-01"
# Current time in UTC as an ISO 8601 timestamp with a Z suffix
$currentDateTime = Get-Date (Get-Date).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z'
$body = @{
    "properties" = @{
        "roleDefinitionId" = "$roleDefinitionId"
        "PrincipalId"      = "$principalId"
        "RequestType"      = "AdminRemove"
        "scheduleInfo"     = @{
            "StartDateTime" = "$currentDateTime"
            "Expiration"    = @{
                "Type"        = "AfterDuration"
                "EndDateTime" = "$currentDateTime"
                "Duration"    = "P1D"
            }
        }
    }
} | ConvertTo-Json -Depth 10
# Create the resource if it doesn't exist
$response = Invoke-RestMethod -Uri $url -Method Put -Headers $headers -Body $body
Here, I use the AdminRemove RequestType trying to remove the setting. It throws: "A role assignment request with Id: already exist"
The same happens when I, for example, use AdminUpdate or AdminExtend.
How should I be able to remove the PIM flow?
I have one eligibility schedule request on an Azure role added to the DemoSri group, as below:
When I ran your script to remove the above eligibility schedule request, I too got the same error:
$baseUrl = "https://management.azure.com"
$scope = "/subscriptions/subId"
# Reusing the GUID of the existing eligibility schedule request
$guid = "eligibilityScheduleRequestId"
$url = "$baseUrl/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/${guid}?api-version=2020-10-01"
# $accessToken: a bearer token for https://management.azure.com obtained beforehand (placeholder value)
$accessToken = "<access token>"
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}
$currentDateTime = Get-Date (Get-Date).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z'
$roleDefinitionId = "b24988ac-6180-42a0-ab88-20f7382dd24c"
$principalId = "groupId"
$body = @{
    "properties" = @{
        "roleDefinitionId" = "$roleDefinitionId"
        "PrincipalId"      = "$principalId"
        "RequestType"      = "AdminRemove"
        "scheduleInfo"     = @{
            "StartDateTime" = "$currentDateTime"
            "Expiration"    = @{
                "Type"        = "AfterDuration"
                "EndDateTime" = "$currentDateTime"
                "Duration"    = "P1D"
            }
        }
    }
} | ConvertTo-Json -Depth 10
$response = Invoke-RestMethod -Uri $url -Method Put -Headers $headers -Body $body
Response:
Note that you have to provide a new GUID each time you delete or update the schedule request.
To resolve the error, I ran the modified script below and got a response like this:
$baseUrl = "https://management.azure.com"
$scope = "/subscriptions/subId"
# A fresh GUID for the new (AdminRemove) schedule request
$guid = (New-Guid).Guid
$url = "$baseUrl/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/${guid}?api-version=2020-10-01"
# $accessToken: a bearer token for https://management.azure.com obtained beforehand (placeholder value)
$accessToken = "<access token>"
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}
$currentDateTime = Get-Date (Get-Date).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z'
# Full resource ID of the role definition (Contributor)
$roleDefinitionId = "/subscriptions/subID/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
$principalId = "groupId"
$body = @{
    "properties" = @{
        "roleDefinitionId" = "$roleDefinitionId"
        "PrincipalId"      = "$principalId"
        "RequestType"      = "AdminRemove"
        "scheduleInfo"     = @{
            "StartDateTime" = "$currentDateTime"
            "Expiration"    = @{
                "Type"        = "AfterDuration"
                "EndDateTime" = "$currentDateTime"
                "Duration"    = "P1D"
            }
        }
    }
} | ConvertTo-Json -Depth 10
$response = Invoke-RestMethod -Uri $url -Method Put -Headers $headers -Body $body
$response
Response:
To confirm that, I checked the same in the Portal, where the eligibility schedule request was removed successfully:
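As an added example (not code from the question or the answer), the following PowerShell script puts the answer's fix into a repeatable form: it looks up the principal's current eligibility schedules at the scope, submits an AdminRemove request under a freshly generated GUID with the full role-definition resource ID, and then lists the schedules again to verify the eligibility is gone. It assumes `$accessToken` already holds a bearer token for `https://management.azure.com`; the subscription and group IDs are placeholders, and the `Get-EligibilitySchedules` and `Remove-Eligibility` function names are this example's own. The request body mirrors the answer's working request.

```powershell
# Added example: remove a PIM role eligibility via the ARM REST API with a fresh request GUID.
# Assumptions: $accessToken is a bearer token for https://management.azure.com;
# <subscriptionId> and <groupObjectId> are placeholders.

$baseUrl     = "https://management.azure.com"
$apiVersion  = "2020-10-01"
$scope       = "/subscriptions/<subscriptionId>"   # placeholder
$principalId = "<groupObjectId>"                   # placeholder
# Full resource ID of the Contributor role definition at this scope
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}

function Get-EligibilitySchedules {
    param([string]$Scope, [string]$PrincipalId)
    # roleEligibilitySchedules are the effective eligibilities produced by earlier requests;
    # filter to the principal of interest.
    $uri = "$baseUrl$Scope/providers/Microsoft.Authorization/roleEligibilitySchedules" +
           "?api-version=$apiVersion&`$filter=principalId eq '$PrincipalId'"
    (Invoke-RestMethod -Uri $uri -Method Get -Headers $headers).value
}

function Remove-Eligibility {
    param([string]$Scope, [string]$PrincipalId, [string]$RoleDefinitionId)
    # Every request, AdminRemove included, is a new roleEligibilityScheduleRequest resource,
    # so it needs a GUID that has not been used before. Reusing the GUID of the original
    # request is what produces "A role assignment request with Id: ... already exist".
    $requestId = [guid]::NewGuid().ToString()
    $uri = "$baseUrl$Scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/$requestId" +
           "?api-version=$apiVersion"
    $startDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.000Z")
    $body = @{
        properties = @{
            roleDefinitionId = $RoleDefinitionId
            principalId      = $PrincipalId
            requestType      = "AdminRemove"
            scheduleInfo     = @{
                startDateTime = $startDateTime
                expiration    = @{
                    type     = "AfterDuration"
                    duration = "P1D"
                }
            }
        }
    } | ConvertTo-Json -Depth 10
    try {
        Invoke-RestMethod -Uri $uri -Method Put -Headers $headers -Body $body
    } catch {
        # ARM returns a JSON error body; surface it instead of only the HTTP status
        Write-Error "Request $requestId failed: $($_.ErrorDetails.Message)"
        throw
    }
}

# Main flow: find the eligibility, remove it, verify it is gone.
$before = Get-EligibilitySchedules -Scope $scope -PrincipalId $principalId |
          Where-Object { $_.properties.roleDefinitionId -eq $roleDefinitionId }
if (-not $before) {
    Write-Host "No eligibility for this principal and role at $scope; nothing to remove."
    return
}

$result = Remove-Eligibility -Scope $scope -PrincipalId $principalId -RoleDefinitionId $roleDefinitionId
Write-Host "Request $($result.name) submitted with status: $($result.properties.status)"

$after = Get-EligibilitySchedules -Scope $scope -PrincipalId $principalId |
         Where-Object { $_.properties.roleDefinitionId -eq $roleDefinitionId }
if ($after) {
    Write-Warning "Eligibility is still listed; check the request status before retrying."
} else {
    Write-Host "Eligibility removed for $principalId at $scope."
}
```

Checking the schedules before and after keeps the script idempotent: a second run finds nothing to remove and exits without submitting another request, and a removal that did not take effect is reported rather than silently assumed.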